
MJV Good Practice Report

Risk Management and Enforcement on Ageing Hazardous Sites

Risks of ageing - Strategic approaches - Risk factors - Signs of ageing - Equipment degradation - Technology obsolescence -
Obsolescence of procedures and documentation - People and organisations - Cybersecurity - Inspection visit plan - Inspection visit agenda (example)

This short report is a tool for use in inspecting EU Seveso and other hazardous sites to monitor and promote improvements in the management of risks associated with ageing of people, infrastructure, equipment and systems. It provides an overview of the various types of ageing and how they affect safe operation and risk. The report describes a number of practices and strategies that have been developed by operators and inspectors to heighten awareness and strengthen management of these risks. In addition, some examples of strategies for inspections of ageing hazardous sites are provided, including a sample agenda for inspections targeting management of ageing risk.

In the European Union, a substantial number of chemical processing plants and petroleum refineries began operations at least two decades ago, including a considerable number that are more than 50 years old. A study conducted by the UK Health and Safety Executive in 2010 estimated that over 60% of the approximately 450 major accidents reported to the EU’s eMARS database from 1996 to 2006 were related to technical integrity and, of those, 50% had ageing as a contributory factor.[1] Corrosion alone has been identified as a cause of at least 20% of major accidents in petroleum refineries in EU countries between 1984 and 2012.[2] As indicated in Figure 1, ageing is a multi-faceted phenomenon consisting of different types of ageing risks that must be recognised and addressed. Moreover, there is clear evidence that ageing of hazardous sites is an important risk factor common to all industrialized countries and therefore requires the serious attention of government authorities and, in particular, the relevant inspectorates.[3]

 

 Figure 1: Types of ageing (JRC, 2016) [4]

For this reason, a workshop on inspection of ageing sites was organised by the European Commission’s Joint Research Centre (JRC) together with the Maltese Occupational Health and Safety Authority in Qawra, Malta, from 8-10 April 2019.  The workshop aimed specifically at: 

  • Achieving a clearer understanding of ageing and the specific risks associated with ageing
  • Defining minimum expectations for hazardous site operators in managing these risks
  • Sharing inspection strategies and enforcement methods for monitoring and improving ageing risk management

1. Risks of ageing are not only present on “older sites”

Ageing starts with the project to design and build the plant. Even quite “young” plants can develop ageing-related risks if not maintained and operated properly or if unmanaged changes are made, or indeed, if design or construction flaws are not identified and corrected.

Conversely, very old plants can continue operating safely if operations, maintenance, inspection and changes are all managed properly, if the procedures and other safety-critical documentation are kept up to date, if the design is routinely reviewed and modified to remain aligned with ALARP technology, and if the organizational capacity, competence and culture remain adequate, all of which rely on effective leadership and governance. All of these are essential for the management of asset integrity.

2. Strategic approaches to targeting ageing risk factors

Inspection campaigns on ageing in some countries have increased operator awareness of ageing and asset integrity management issues with some positive results.  The text box on the next page shows some of the ways in which competent authorities have targeted ageing on hazardous sites under their jurisdiction. 

A focus on asset integrity management of safety critical elements (SCEs) is in general a practical approach to dealing effectively with ageing. Under this regime, a safety critical element is defined as a part of a plant, including IT systems:

  a) whose failure could cause or contribute substantially to a major accident, or
  b) whose purpose is to prevent or limit the effect of a major accident.

The JRC publications on Common Inspection Criteria provide technical guidance on managing a number of such issues, in particular, maintenance of primary containment systems, management of change, safety instrumented functions, and pressure relief systems.

3. Risk factors associated with ageing

While mechanical integrity is an essential part of ageing management, ageing risk comes from aspects of plant management and operations that change over time. In particular, the people who run the plants, and the designs of those plants, can also age, creating a diverse set of ageing challenges. In general, risks arising from ageing can be placed under the following headings:

  • Equipment degradation
  • Technology obsolescence
  • Obsolescence of procedures and other safety-critical documentation
  • People and organization
  • Cyber security

The sections that follow describe how these different elements elevate risk and various strategies for reducing those risks that have been shared by various industry representatives and government inspectorates.

Table 1. Potential signs of elevation of ageing risks

  • Significant change in circumstances, e.g., ownership change, prolonged economic downturn, pandemic (resulting in postponed maintenance or plant upgrading, reductions in staffing etc.)
  • Lack of or inadequate management procedures addressing ageing phenomena
  • Missing documentation of safety critical equipment (specifications, functions, conditions of use, etc.)
  • Competence of contractor maintenance personnel inadequately managed (e.g., records of training and competence assessment missing or not aligned with responsibilities for performing safety critical tasks, safety critical information not made available to contractors)
  • Unclear process for determining and identifying Safety Critical Elements (SCEs)
  • Lack of information about degradation mechanisms and rates for SCEs
  • More complex or technologically advanced equipment that is more vulnerable to lack of maintenance (e.g., control and instrumentation systems, process designs utilizing extreme temperatures, pressures or reactivity, or use of modular construction with reduced equipment spacing and maintenance access)
  • Notable degradation of facilities, e.g., peeling paint, rusted equipment, poor housekeeping
  • Frequent near misses associated with mechanical integrity failures

 

3.1. Equipment degradation

The risks arising from equipment degradation depend on the specific applications. Important specific risks arising from equipment degradation include failure, loss of containment or other major incidents due to corrosion, erosion, fatigue, and failures of protections against these forces.  Some of the most common phenomena include:

  • Corrosion of piping, including corrosion under insulation (CUI) and corrosion under pipe supports (CUPS)
  • Corrosion of storage tanks, e.g., bottoms, roofs and walls. Also, tank linings can exacerbate corrosion
  • Corrosion and fatigue of small-bore piping and instrument connections
  • Erosion and corrosion of pump seals, especially with aggressive process materials or environmental conditions
  • Corrosion of bolted joints, exacerbated by galvanic action due to incompatible materials
  • Corrosion occurring as a result of inadequate maintenance of cathodic protection systems
  • Fatigue and corrosion due to high pressure, temperature, or an intense cycling rate
  • Degradation of electrical insulation (e.g., underground HV cables) and corrosion of terminations, creating an overheating or arcing ignition source

Underlying factors leading to these risks include:

  • Inadequate identification of safety critical equipment (SCEs), e.g., a pressure gauge on a 140 bar pipeline that broke off due to fatigue failure, resulting in a 22 tonne gas release
  • Inadequate monitoring of SCEs, exacerbated by lack of a risk based inspection (RBI) methodology
  • Inadequate management of change procedures
  • Inadequate plant operation, e.g., operating beyond design limits, stress cycling of hot or cold units resulting in thermal shock, incorrect start up or shut down procedure, etc.

Rather than viewing ageing as something that applies only to “old” plants, the asset integrity of all SCEs should be managed systematically, including using RBI. Notably, some new plants have developed ageing problems due to poor maintenance and a lack of, or inadequate implementation of, management of change procedures. For example, at a large liquefied natural gas plant, the pressure safety valves (PSVs) “lost” their electrical trace heating and insulation and consequently became inoperable. As a result, the plant had an emergency shutdown.

For a particular site, each SCE should be identified by a transparent risk-based process and listed in an asset register by tag number, line number, and location together with its specific operating limits and minimum performance criteria. Its condition should be managed, taking account of its known degradation mechanisms and degradation rates.  Typically, the list of SCEs will include tanks, vessels, pumps, valves, piping systems and their supports, and also electrical power distribution systems and instrumentation and control systems.  

3.2. Technology obsolescence

Risks arise from safety-related technology becoming obsolescent or obsolete.[1] This situation can often occur when plant design no longer meets quantitative risk criteria. Some signs of obsolescence of this type, as evidenced by past chemical accidents, include atmospheric vents that are not connected to the flare, storage tanks without overfill protection, dead legs in piping, an excessive inventory of toxic materials, no design for safe isolation with double block and bleed valves or remotely operated shutoff valves (ROSOVs) for emergency isolation, inadequate control room graphics or poor alarm management, and control room design that does not meet current good practice.

Furthermore, SCEs can also be compromised due to the unavailability of original equipment manufacturer (OEM) spares, use of counterfeit spares and consumables (See OECD/EUIPO Report 2019), the unavailability of OEM technical support for maintenance, and loss of control due to obsolescence of control systems. A number of underlying factors may lead to these risks including inadequate design review and inadequate procurement management.

Risk management expectations
Firstly, as indicated in the CCPS Guidelines on Risk Based Process Safety, there should be a management process that reviews plant design routinely to ensure that the design adheres to established performance standards for process safety risks, e.g., as low as reasonably practicable (ALARP), inherent safety, Safety Integrity evaluations, total quality management, etc., taking into account feedback from performance metrics (if available) and considering current or expected changes in operating conditions.

The frequency of design review should be determined on a risk basis.  For example, the design of a high hazard, complex or novel plant, might typically be reviewed at a greater frequency, e.g., once a year, whereas that of a lower hazard simple plant of well-established design, might take place less often, e.g., once every 5 years. 

Secondly, there should be a strategy for procurement that includes routinely reviewing:

  • The availability of spare parts during the life of any SCE
  • Adequate quality management of spare parts
  • The availability of technical support for maintaining and repairing SCEs

In particular, the review should identify and address any risks that threaten continuity or quality of future maintenance and repair of such equipment. 

3.3. Obsolescence of procedures and other safety-critical documents

Risks arising from obsolescent or obsolete procedures include failure and loss of containment due to operation outside of design limits, and other incidents such as fires, explosions or toxic releases resulting from maloperation or maintenance error. These can arise from:

  • Procedures not aligned with actual working practices, especially operations and maintenance
  • Procedures not aligned with current plant design after changes have been made
  • Procedures or other documents that are unavailable, inaccessible, missing, incomplete or incorrect
  • Other safety-critical documents that could be unavailable, inaccessible, missing, incomplete or incorrect

Underlying factors leading to these risks include inadequacies in a number of areas, including poor management of safety-critical documentation; failure to transfer necessary information to contractors; insufficient supervision of safety-critical operations and maintenance work; insufficient checking that procedures are followed in practice; inadequate audit of procedures and other safety-critical documentation; and failure to conduct a management of change when necessary. Missing or incomplete documentation on specifications and functionality (e.g., drawings, equipment datasheets) and equipment construction (indicating equipment manufacture and construction quality) is a routine finding during inspections of hazardous sites in many countries and has been cited as a contributing factor in many serious accidents (see the U.S. Chemical Safety Board Report on the Richmond, California, USA accident in 2012 and the JRC Lessons Learned Bulletin on Ageing).

Risk management expectations
The operator should be able to give evidence that there is effective management of safety-critical information that establishes, maintains and facilitates access to all safety-critical information relevant to the site. To be effective, the documentation system should include all of the following elements in some form:

  • Asset integrity management information including records of design, construction and inspection
  • Plant operating procedures, job aids and checklists
  • Maintenance procedures and records for all SCEs
  • Inspection procedures and records for all SCEs
  • Management of change (MOC) records
  • Competence records, including contractor personnel
  • An organigramme showing responsibilities and authorities of management and staff supporting the safety management system

3.4. People and organisations

People and organisational factors are increasingly common factors that can lead to the elevation of chemical accident risk. Changes in management, downsizing, loss of personnel due to retirement, and increasing reliance on contractors over time, are some of the ways in which valuable knowledge and competence for the safety of the plant may exit an organisation. A site can lose technical competence and understanding of how various processes have been designed and operated.  Also, knowledge of the history of changes that have been made over time can be lost, leading to mistakes affecting plant safety.

When no one remembers any more what happens when certain process parameters or procedures are not respected, the risk of an accident is increased.  Accidents have been known to occur when the wrong equipment is used, for example, when it is re-used in a way for which it was not designed. 

Replacement equipment and parts may also be configured to the wrong specifications, as can happen when pipework is replaced without respecting the design and operational conditions of the plant.  As one example, there are many documented cases in which a refinery had numerous incidents from mechanical integrity failures, because replacement piping did not take into account long term exposure to chemical attacks.[2] This neglect may be influenced by a number of factors, including lack of documentation, turnover in ownership, low profitability, and outsourcing of maintenance. 

Risk management expectations
Any organisational change should be managed so that process safety risk controls remain effective. In this respect, preserving the historical perspective, by conserving the memory of past accidents and consultation with experienced and competent staff, can be critical to ensuring continuous attention on known potential risks, and managing change safely.  Key expectations are adequate management of the following, which often arise as weaknesses:

  • Resourcing of operations and maintenance, that is, the staffing levels of operators and technicians, first line supervisors and professional engineers
  • Competence of people performing safety-critical work, especially in operations and maintenance, and in the control room, where process integrity is also monitored
  • Succession planning, especially for key positions such as plant manager, engineering manager, etc.
  • Leadership and governance

Specific and detailed publications on organisational change, managing staff and competence at hazardous sites, and on corporate governance and leadership can be found at the end of this document.

3.5. Cyber security

Since around 2000, industrial automation and control systems (IACS) such as distributed control systems, programmable logic controllers and supervisory control and data acquisition systems (DCS, PLC and SCADA systems) at many Seveso sites have become increasingly web-based, enabling user monitoring and intervention via remote access from servers, laptops or mobile devices. Although this has greatly improved system functionality, it has also greatly increased cyber security risks.

The integrity of IACS can be compromised by ageing mechanisms similar to those affecting other plant infrastructure, including equipment degradation, obsolescence of documentation, and loss of corporate knowledge and technical competence. The generally rapid rate of change in the IT world also means that IT systems can age more rapidly than physical infrastructure, so that the technology and the competences to manage it can quickly become obsolete.

The operator should be aware of the potential weaknesses in the IT system, especially where older equipment and technology are still in use. In particular, the safety management system should cover the risks associated with the IT system, including interfaces with old and new systems, vulnerable equipment, and practices governing who holds passwords and has access to the systems. Many sites have developed formal strategies in this regard, but numerous other sites are still evolving in this direction.

Table 2.  Example of an Inspection Visit Plan and Checklist for ageing/asset integrity management Inspection

Before visit – Preparation – Obtain and review the following materials

  • Safety Report / Major Accident Prevention Policy (MAPP)
  • Documentation of the Safety Management System, including details of organisation, roles and responsibilities
  • Reports from previous inspection visits
  • Details of recent, current or planned ownership changes or other organisational changes, capital projects and shutdowns / turnarounds
  • Maintenance plans and records
  • Inspection plans and records, including 3rd party inspections
  • Management of Change records
  • Investigation reports of process safety incidents in recent years or since the last inspection

Site Visit (see “Example Inspection Visit Agenda” on the next page)

  • Tour the plant to gain familiarity, observe general housekeeping, identify older and newer parts, etc.
  • Assess how asset integrity is managed
    • How complete is the asset register? Are SCEs clearly identified?
    • How are SCEs defined?
    • How is degradation of SCEs defined and monitored? Are all mechanisms and rates documented?
    • Is there an RBI process? If so, how does it work?
  • Are procedures for operating and maintenance complete and kept updated?
  • Are competence assurance records of people performing safety critical activities complete and kept updated?
  • Perform spot checks of current maintenance work and compare the job with “before” and “after” records (i.e., how the job was planned and how it was documented following completion)

Other options for the inspection visit:

  • Observe operations in the control room, e.g., distributed control systems, programmable logic controllers and supervisory control and data acquisition systems (DCS, PLC and SCADA systems)
    • How are operating procedures used? Ask workers about any problems with procedures
    • Assess operator understanding of the plant hazards and risk control barriers
    • Assess operator non-technical skills
      • Situation awareness (e.g., knowledge of current plant state and active permits-to-work (PTWs))
      • Communication (e.g., between control room and field, effectiveness of shift handover)
    • Review documents available in the control room (e.g., plant and instrumentation diagrammes (P&IDs), plant drawings, procedures)
    • Review PTW records / Perform a spot check in the field on work being conducted under an active PTW / Ask workers about any problems (Does this belong under the control room? If so, why?)
  • Review internal inspection plan / Observe inspection activities in the field / Ask workers how they do it
  • Review the maintenance plan / Observe activities in the field / Ask workers about any problems
  • Inspect electrical power distribution, uninterruptible power supply (UPS), motor control centre (MCC), field equipment / Ask workers about whether they are aware of any problems relating to these
  • Review management of procurement and contracting, including quality management and competence assurance procedures
  • Review the management of change process and records / Ask workers about how and when they use it

 

Table 3.  Inspection of an Ageing Seveso Site – Example of an Inspection Visit Agenda
(To complete all of these topics may require several visits; some topics could be addressed remotely)

| TOPIC | WHO | DETAIL |
|---|---|---|
| Introduction & Briefing | Senior manager responsible for the site<br>Nominated host<br>Other managers | Brief the facility staff on purpose of the visit<br>Discuss arrangements for the inspection<br>Role of nominated host to facilitate access to plant, people and information |
| Process Safety Management | Senior manager responsible for the site | The senior manager should explain the major process safety hazards and risks and how they are managed, how the safety management system works<br>Role of the safety team; worker engagement<br>Key outcomes of incidents and complaints; current status of required actions |
| Asset Integrity Management | Senior manager responsible for the site | The senior manager should explain how asset integrity is managed, including design, maintenance, operations, the roles and responsibilities for these and how they relate to the safety management system |
| Capital replacement program | Senior manager responsible for the site | Describe plans for replacing obsolescent equipment |
| Plant tour | Nominated host<br>Other managers | Familiarisation for new inspectors |
| Maintenance | Maintenance manager | Maintenance management system<br>Asset register - SCE definition and list<br>What SCE degradation mechanisms have been identified?<br>How is corrosion managed? (e.g., piping including CUI and CUPS)<br>How is condition of electrical equipment and cabling monitored? (Thermal Imaging?)<br>How are competence and capacity of maintenance personnel managed?<br>How is quality of maintenance work assured? What is the role of supervisors in this? |
| Operations | Operations Manager | Management of operating procedures (Review and revision process and status)<br>Operating window; monitoring of plant operating parameters; documentation<br>Describe the management of change system; records of management of change<br>How are competence and capacity of operations personnel managed?<br>How is integrity of operations assured? What is the role of supervisors in this? |
| Design and Standards | Engineering manager | What design documents are held? What technical standards are used for design and Technical Integrity? Documentation?<br>Describe the management of change system; records of management of change<br>How are utilities (electrical power, water, air, etc.) assured for safety critical plants? |
| Inspection | Inspection / Technical authority manager | How are SCEs assured to be fit for continued operation? Documentation?<br>How is integrity of fire protection and firefighting systems managed? Documentation?<br>How is competence and capacity of inspection personnel managed?<br>How is quality of inspection work assured? What is the role of supervisors in this?<br>How is quality of third party inspections assured? |
| Plant Control Systems | Control and instrumentation manager | Strategy for managing ageing of control systems and documentation |
| Procurement | Responsible manager | Technical specification, availability and quality management of spare parts for SCEs |
| Contracting | Responsible manager | How is competence of contractors assured? |
| Follow-up field inspections | Nominated host | Observe control room operations; follow-up of operations<br>Spot checks of procedures; competence; supervision |
| Follow-up field inspections | Nominated host | Observe Maintenance activities; follow-up of Maintenance<br>Spot checks of procedures; competence; supervision |
| Follow-up field inspections | Nominated host | Observe Inspection activities; follow-up of Inspection<br>Spot checks of procedures; competence; supervision |
| Inspectors Review | Inspectors | Inspector teams prepare for close-out discussions |
| Review with Site Manager | Senior manager responsible for the site | Discussion and debrief with site manager (alone) |
| Inspection Close-out | All those involved with the inspection | Summary of Inspection; Key findings; next steps |

   

 

References

Additional resources

Guidance on Asset Integrity Management

Examples of guidance on managing specific ageing-related risks

Knowledge management

Organisational and staffing guidance

 

[1] Obsolescence is the state of being which occurs when an object, service, or practice is no longer wanted even though it may still be in good working order. Obsolete refers to something that is already disused or discarded, or antiquated. (Wikipedia)
